2.6. Firewall Configuration

As with any services that run on TCP/IP, the SMB networking services offered by Samba can be accessed from across the Internet unless your organization's firewall is configured to prevent it. The following ports are used by Samba for SMB networking and SWAT:
As stated in Chapter 1, SMB/CIFS is really not Internet-ready. There have been many security improvements in CIFS recently, including the use of Kerberos for authentication, packet integrity checking (SMB signing), and Secure Channel communication. However, other than passwords, most data in CIFS networks travels in the clear. If your users require external access to Samba or Windows file servers, it is best to use some type of Virtual Private Network to secure data in transit. See the O'Reilly book Virtual Private Networks, by Charlie Scott et al., for more information on this subject.

Outside of a VPN solution, it is strongly advised that you block the appropriate ports from access by clients external to your network. In addition, you might wish to configure a firewall on the Samba host system to keep SMB packets from traveling further than necessary within your organization's network. For example, port 901 can be shut down for remote accesses so that SWAT can be run only on the Samba host system. If you are using Samba to serve only a fraction of the client systems within your organization, consider allowing SMB packets (i.e., packets on ports 137-139 and 445) to go to or come from only those clients.

For more information on configuring firewalls, see Building Internet Firewalls, by Elizabeth D. Zwicky et al. (O'Reilly).
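The host-based firewall described above, written out as an added example (this script is not from the book and is not part of Samba): it confines SWAT on port 901 to the loopback interface and accepts SMB/CIFS traffic (UDP 137-138 for NetBIOS name and datagram service, TCP 139 and 445 for sessions) only from a list of internal client networks, dropping everything else. It assumes a Linux host with iptables and the filter table's INPUT chain; the client networks in the usage line are constructed placeholders. By default the script only echoes the rules it would apply (a dry run); set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from "Using Samba": host firewall rules that limit
# SWAT to the local machine and SMB/CIFS to a set of internal client
# networks. Assumes Linux iptables and the filter table's INPUT chain.

# IPT defaults to "echo iptables" so the script is a dry run that prints
# the rules; set IPT=iptables (as root) to apply them for real.
: "${IPT:=echo iptables}"

# Emit the rule set for the given allowed client networks
# (a space-separated list in CIDR notation).
samba_fw_rules() {
    allowed="$1"

    # SWAT (TCP 901): only the Samba host itself, via loopback, may reach it.
    $IPT -A INPUT -p tcp --dport 901 -i lo -j ACCEPT
    $IPT -A INPUT -p tcp --dport 901 -j DROP

    # SMB/CIFS: accept from each allowed network first ...
    for net in $allowed; do
        $IPT -A INPUT -p udp -s "$net" --dport 137:138 -j ACCEPT   # NetBIOS name/datagram
        $IPT -A INPUT -p tcp -s "$net" --dport 139 -j ACCEPT       # NetBIOS session
        $IPT -A INPUT -p tcp -s "$net" --dport 445 -j ACCEPT       # SMB over TCP
    done

    # ... then drop SMB/CIFS from everywhere else, including the Internet.
    $IPT -A INPUT -p udp --dport 137:138 -j DROP
    $IPT -A INPUT -p tcp --dport 139 -j DROP
    $IPT -A INPUT -p tcp --dport 445 -j DROP
}

# Usage with two constructed (placeholder) client networks.
samba_fw_rules "192.168.10.0/24 192.168.20.0/24"
```

Order matters: iptables evaluates rules top to bottom, so the per-network ACCEPT rules must come before the catch-all DROP rules, and the SWAT loopback ACCEPT before its DROP. Because SMB traffic from clients outside the listed networks is dropped at the host, the perimeter firewall block the text recommends is backed up even if the perimeter is misconfigured.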